CVE-2020-10935: Fix XSS vulnerability in local link rewriting.

Make sure rewrite_local_links_to_relative does not accidentally change
the meaning of links.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
Anders Kaseorg
2020-03-23 19:48:32 -07:00
committed by Tim Abbott
parent c9796ba7f7
commit 64856d858e
2 changed files with 26 additions and 1 deletions


@@ -207,7 +207,11 @@ def rewrite_local_links_to_relative(db_data: Optional[DbData], link: str) -> str
if db_data:
realm_uri_prefix = db_data['realm_uri'] + "/"
if link.startswith(realm_uri_prefix):
if (
link.startswith(realm_uri_prefix)
and urllib.parse.urljoin(realm_uri_prefix, link[len(realm_uri_prefix):])
== link
):
return link[len(realm_uri_prefix):]
return link
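Review bot: The round-trip test `urllib.parse.urljoin(realm_uri_prefix, link[len(realm_uri_prefix):]) == link` is the entire fix, yet it carries no comment, so a later maintainer could plausibly "simplify" it back to the bare `startswith` that this commit removes. I would put above `if (`: `# Strip the realm prefix only when the remainder re-resolves to exactly the same link; a remainder such as "https://x", "//x" or "javascript:..." is a URL on its own and would point somewhere else once the prefix is gone (CVE-2020-10935).` The comparison fails closed on any mismatch (host case differences, a `..` segment that urljoin normalises away, a doubled slash), which is the safe direction; note that a link equal to the realm root itself still yields the empty string, exactly as before, which is probably harmless but deserves a fixture. The hunk assumes `urllib.parse` is imported at module level, which is not visible here.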


@@ -407,6 +407,17 @@
"input": "[ ](https://github.com)",
"expected_output": "<p><a href=\"https://github.com\" target=\"_blank\" title=\"https://github.com\">https://github.com</a></p>"
},
{
"name": "fragment_link",
"input": "[foo](http://zulip.testserver/#narrow/stream/1-Denmark)",
"expected_output": "<p><a href=\"#narrow/stream/1-Denmark\" title=\"#narrow/stream/1-Denmark\">foo</a></p>",
"marked_expected_output": "<p><a href=\"http://zulip.testserver/#narrow/stream/1-Denmark\" target=\"_blank\" title=\"http://zulip.testserver/#narrow/stream/1-Denmark\">foo</a></p>"
},
{
"name": "not_fragment_link",
"input": "[foo](http://zulip.testserver/https://example.com)",
"expected_output": "<p><a href=\"http://zulip.testserver/https://example.com\" target=\"_blank\" title=\"http://zulip.testserver/https://example.com\">foo</a></p>"
},
{
"name": "nl2br",
"input": "test\nbar",
@@ -1037,6 +1048,16 @@
"<p>[foo](javascript:&lt;i&gt;\"foo&amp;bar\"&lt;/i&gt;)</p>",
""
],
[
"http://zulip.testserver/#narrow/stream/1-Denmark",
"<p><a href=\"#narrow/stream/1-Denmark\" title=\"#narrow/stream/1-Denmark\">http://zulip.testserver/#narrow/stream/1-Denmark</a></p>",
""
],
[
"http://zulip.testserver/https://example.com",
"<p>%s</p>",
"http://zulip.testserver/https://example.com"
],
[
"a@b.com",
"<p>%s</p>",
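Review bot: The new `not_fragment_link` fixture in the first hunk pins only the `https://example.com` suffix, which is a link-target hijack, while the commit title names an XSS; the vector that matches the title is a `javascript:` remainder, which the old `startswith` rewrite would have turned `http://zulip.testserver/javascript:alert(1)` into `href="javascript:alert(1)"`, and nothing here asserts that this now stays absolute. I would add an entry beside `not_fragment_link` with `"name": "not_fragment_link_javascript"` and `"input": "[foo](http://zulip.testserver/javascript:alert(1))"`, with an expected output mirroring `not_fragment_link` (href kept absolute) unless the upstream URL sanitiser, not visible in this diff, drops such links, in which case the fixture should assert that instead. A parallel entry in the second hunk's linkify table would cover the bare-URL path as well.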